一键导入
validating-deployments
End-of-session validation for MI and OBO deployment paths. Use after code changes to verify deploy → test → teardown works end-to-end.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
End-of-session validation for MI and OBO deployment paths. Use after code changes to verify deploy → test → teardown works end-to-end.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
| name | validating-deployments |
| description | End-of-session validation for MI and OBO deployment paths. Use after code changes to verify deploy → test → teardown works end-to-end. |
Run this at the end of any session that changes backend, frontend, infra, or auth code.
dotnet test + npm test)npm run build)az bicep build --file infra/main.bicep)npx playwright install chromium)Run before every deployment:
# Backend: check for vulnerable NuGet packages
cd backend && dotnet list package --vulnerable
# Frontend: check for vulnerable npm packages
cd frontend && npm audit
# Docker: lint Dockerfile for security issues (if hadolint installed)
hadolint deployment/docker/frontend.Dockerfile
The Dockerfile runs as non-root (USER app). Verify this hasn't been removed after changes.
azd env new mi-test --no-prompt
azd env set ENTRA_SERVICE_MANAGEMENT_REFERENCE "<guid-from-admin>" # Required by some orgs
azd env set AZURE_LOCATION eastus2 --no-prompt
azd up --no-prompt
$endpoint = azd env get-value WEB_ENDPOINT
node deployment/scripts/smoke-test.js $endpoint
Verify: health 200, agent name displayed, chat streaming works, token usage visible.
cd backend/WebApp.Api
$env:ASPNETCORE_ENVIRONMENT = "Development" # CRITICAL — without this, uses ManagedIdentityCredential which fails locally
$env:ASPNETCORE_URLS = "http://localhost:8080"
dotnet watch run --no-launch-profile &
cd ../../frontend
npm run dev &
# Wait for both servers, then:
node deployment/scripts/smoke-test.js http://localhost:5173
azd down --force --purge --environment mi-test --no-prompt
# Verify:
# - frontend/.env.local deleted
# - backend/WebApp.Api/.env deleted
# - .azure/mi-test/ deleted
# - Entra app deleted (check azd logs)
azd env new obo-test --no-prompt
azd env set ENABLE_OBO true --no-prompt
azd env set AZURE_LOCATION eastus2 --no-prompt
# No SMR needed if using a non-MSFT tenant
azd up --no-prompt
# Check backend logs for OBO mode
az containerapp logs show --name <app-name> --resource-group <rg> --type console --tail 20 | Select-String "OBO"
# Expected: "OBO mode enabled: backendClientId=..."
# Expected: "Created OBO credential for request" (after first chat)
Run smoke test. OBO requires interactive MSAL login (user must sign in with test tenant credentials). The smoke test will wait at auth if no cached session exists.
Same as MI path. Additionally verify:
| Gotcha | Detail |
|---|---|
ASPNETCORE_ENVIRONMENT=Development | Required for local dev — without it, backend tries ManagedIdentityCredential which fails on dev machines |
| SMR required | Set ENTRA_SERVICE_MANAGEMENT_REFERENCE or Entra app creation fails |
| Bicep FIC creation may fail | Graph API eventual consistency issue. Workaround: create FIC via az ad app federated-credential create |
v2 agent API requires kind: "prompt" | When creating agents via REST, use definition: { kind: "prompt", model: "...", instructions: "..." } |
OBO scope is api://{BACKEND}/Chat.ReadWrite | NOT api://{SPA}/Chat.ReadWrite. Token audience mismatch = AADSTS500131 |
| AI scope resolves to Azure ML Services | https://ai.azure.com/.default → appId 18a66f5f-... (Azure Machine Learning Services), NOT 7d312290-... (Cognitive Services) |
| Conversation history not user-scoped in MI mode | MI uses shared identity — all users see all conversations |
Provides deployment commands and troubleshooting for Azure Container Apps. Use when running azd commands, deploying containers, debugging deployment failures, or updating infrastructure in this repository.
Provides SSE streaming patterns for the chat API and frontend. Use when implementing or modifying chat streaming, handling SSE events, or troubleshooting message flow between frontend and backend.
Provides research patterns for Foundry Agent Service SDK. Use when implementing agent features, looking up SDK methods, finding code samples, or troubleshooting Azure.AI.Projects API usage.
Provides architecture overview with state machines, SSE event flow, and file mappings. Use when understanding system design, debugging state issues, or maintaining ARCHITECTURE-FLOW.md.
Provides C# and ASP.NET Core coding standards for this repository. Use when writing or modifying C# code, implementing API endpoints, configuring middleware, or working with authentication in the backend.
Diagnose and fix incomplete local development setup. Use when dev servers fail to start, env vars are missing, authentication errors occur, or before running any dev commands for the first time.